Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro

    On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so:

    Figure 1. Underground advertisement.

    The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (Verifone is a US-based provider of POS terminals.) Some specific VeriFone products such as the Vx510, the Vx670, and the Vx810 Duet are specifically mentioned. These rogue terminals can be used in a store to steal the credit card information of customers; the stolen information is then used or sold on the black market.

    In addition, the seller wants to prove that he is a reputable seller and said he is willing to provide ship his product anywhere in the world, as well as provide 24/7 support. He went on to say:


    These criminals claim they are able to mass produce almost anything related to ATM and PoS devices. One such ad listed the parts and devices they can produce and ship, with some prices in parentheses:

    • Fake berifone VerixV terminals (VX510, 670 and 810 Duet)
    • Gerber file for producing the PCBs for MSRV009 credit card readers
    • ATM panel, camera panel, and keypads for Wincor ProCash2050xe ATMs
    • green cover panel and camera panel for NCR 5886 ATMs ($1850)
    • apple ring and camera panels for NCR Self Serve ATMs ($2000)
    • keypard for Wincor ATMs ($1000)

    Producing parts for ATM skimmers and fake PoS terminals is not new; it has been reported by other researchers since 2011. What is very worrying is that the sellers are claiming that they can mass-produce these items from locations in China. This is something we should be worried about as mass production of these devices or parts could result in more bank fraud for end-users. The sellers appear to be quite knowledgable about developments in ATM skimmers and PoS terminals; they are also very open in what they offer to would-be buyers. In fact, several customers have already vouched for gripper, sharing their good customer experience with this seller.

    A gallery of pictures supplied by the cybercriminals in order to promote their wares follows.

    Figures 2-5. ATM skimmer and PoS terminal images

    Posted in Bad Sites |

    We recently came across this particular post in an underground forum:

    Figure 1. Underground forum post

    This particular post in Russian was advertising a new product, known as “BlackOS”. Contrary to the name, it is not an operating system. However, it is definitely “black”, or malicious: it is used to manage and redirect Internet traffic from malicious/compromised websites to other malicious sites.

    These types of products are not new in underground communities – for example, Brian Krebs talked about the similar site almost two years ago. Even BlackOS itself is not completely new. It is a new version of the earlier “Tale of the North” software, described by security researchers in September 2013.

    Capabilities of BlackOS

    BlackOS and other similar packages are designed to automate the process of managing and exploiting websites easier. This allows a cybercriminal to squeeze out the most profit from his victims. It has a web interface which is used to manage the web traffic and its different features. It can cope with high volumes of Internet traffic, and inject iframes and redirect traffic as specified by its user.

    Here are some of the features of BlackOS, as stated in an advertisement in underground forums (as translated from the original Russian):

    1) Implement the optimal model of converting traffic. Distribute and installs on geo user agent;
    2) Get a unique opportunity to refuse to sell iframe traffic ;
    3) Automatically detect PR domains , links and implement an effective impact on the issuance of search engines ;
    4) Get a fast , stable and socks5 private lists for any of your software, requiring the use of proxy;
    5) Sort the list of accounts as fast as possible ;
    6) Upload any of your scripts with verification . Pour shells and mass execute commands on them set / code cleanup , eval (), system (), sendmail and check antiDDOS ;
    7) Perform a vulnerability scan on your servers
    8) Proccess the parsing Databases of remote CMS

    New features for managing accounts, along with a powerful SEO tools and interface as intuitive novice webmasters and professionals allow us to hope that BlackOS take its rightful place on your work space.

    BlackOS is not particularly cheap. It costs $3,800 a year; a reinstall/rebuild costs $100. For cybercriminals on a budget, basic configurations (16GB of RAM, octacore CPU, and SSD storage) can be rented for $100 a month. (The creators of BlackOS only accept payment in Bitcoin, Litecoin, or Perfect Money.)

    One of the features of BlackOS is integration with online scanners that check if a website is already blocked by various security solutions, as seen below:

    Figure 2. Online scanner
    (Click image above to enlarge)

    As we mentioned earlier, BlackOS appears to be an updated version of the previous Tale of the North package. One may ask why, then, is it being sold as “new” software? For that, we have to look into the Tale of the North and its author, Peter Severa.

    Peter Severa and the Tale of the North

    Peter Severa, who uses the handle Severa in various underground forums, began as a spammer as far back as 2003. He has used various spam botnets to send spam, including the Waledac and Kelihos botnets – in fact, he is currently facing criminal charges relating to his use of the latter. This has not scared him, though: to this day he is still active in the underground.

    His ICQ and Jabber accounts are well-known to the underground community; he also had a Webmoney account at one time, although that account was banned. We believe that the now-banned account was used by another “handle”, which was actually Severa hiding his identity. We also believe that Severa has a new Webmoney account.

    Severa wrote Tale of the North to manage the web traffic coming from users clicking links in his spam emails. For example, he could redirect users to various websites based on their geographic location.

    Recently, however, there appears to have been a dispute between Severa and other people involved with Tale of the North. According to the following underground forum post, Severa left the project and the other “contributors” have continued under the BlackOS name:

    Figure 3. Underground forum post
    (Click image above to enlarge)

    A partial translation of that post follows:

    BlackOS previously sold as North Tale. We had a team and there was a conflict, and I closed the project. The system is now marketed under the name BlackOS, and I have nothing to do with it now. I make no claims to manager/BlackOS; all conflicts between us completely settled and I wish him success in his future development and sales of the software. It ‘s a really cool product that is unparalleled in the market, which required a decent number of man-years of development

    We don’t know much about who’s selling BlackOS now. His Jabber account is publicly known (so would-be clients can contact him), and he also goes by the handle manager. Beyond that, his identity is unclear.

    What about Severa? He hasn’t left the underground community. He is now running two active affiliate programs—both named partially after himself: SevPod and SevSka—that spread spambot malware.

    In February, Severa was advertising SevPod in forum posts, like this one:

    Figure 4. SevPod advertisement
    (Click image above to enlarge)

    A partial translation follows:

    I want to introduce you to your new project – a private affiliate for substitution issue, {affiliate program URL}. I managed to make a really long-lived substitute, and your download will bring you income for many months, even after you stop shipping. Unlike other substitutions, I have bids for virtually all countries. Of course, miracles do not happen, and you will get the maximum revenue from the US, Canada, Australia, UK, Western Europe, but the third world countries will be bring you a steady income for a long time to! 95% of the money that I get for clicks from feed providers, I’m pay for your your ads.

    The about page for SevPod goes on:

    … is the latest revolutionary affiliate program by substitution SERPs. We get maximum bids from our feed providers, 95% of the funds we receive we give to our clients. Convert clicks from almost all countries of the world. We also use more modern methods of monetizing traffic, such as pay per user activity on the site, pay per view and interactions with different content. Unlike click bot traffic, we use live traffic, so our traffic is much more expensive, and will bring you income for a long time.

    From these posts and sites, it is clear that Severa is still involved in the traffic redirection business and spam, although one could say he is focusing more on the “business” aspect of cybercrime than the technical aspects.

    The information we gathered in this post was taken from various underground sources, although all of it was essentially public. We urge any law enforcement agencies investigating Severa or the creators of BlackOS to reach out to us, as we have additional information that is not part of this post.

    Posted in Bad Sites, Malware |

    11:45 am (UTC-7)   |    by

    In these times, embracing consumerization is not only inevitable for any company; it is now, at some level, necessary. It’s become a powerful business tool, providing efficiency to the company, as well as convenience to the employees. The usage of mobile devices in corporate environments is a primary example of how enterprises apply consumerization, a practice that enterprises apply more and more each day.

    With continued adoption comes challenges. The risks around mobile threats are typically focused on malicious apps, but for enterprises there are other problems. Since the devices are used to store, send, and receive corporate data, protecting them from unauthorized access is critical to the company. So how can we maintain enterprise-level security in consumer-level devices?

    The risks entailed by consumerization has proven to be difficult to deal with — the complexity of managing multiple platforms, separating personal and corporate data, avoiding data leakage, and addressing privacy concerns has enterprises struggling to find the balance between convenience and security. And as the balance remains to be achieved, the risk grows. Mismanaging consumerization has proven to be costly for enterprises, as cybercriminals now see the inclusion of mobile devices in enterprise networks as an addition to their attack surface — a new vector that they can use to infiltrate.

    In the past we’ve talked about a three-step plan to consumerization, which includes having a plan, identifying a set of policies to implement, and putting in the right infrastructure to apply the identified policies.

    Our Trend Micro Safe Mobile Workforce is an example of the infrastructure that can be used in embracing consumerization. It is a virtual mobile infrastructure solution that aims to answer the needs of both IT managers and employees in consumerization by providing a clear infrastructure that separate corporate and personal data. It hosts the mobile operating system on centralized servers to provide a safe infrastructure whenever users need to access corporate information.

    What does this mean for users? It means that their corporate mobile environment is not stored in their device, so their data remains secure even if the device gets lost. They can also access their environment from any location, without being tied to a single device. This also means that there is no limitation in terms of functionality when the employee uses the device for personal purposes.

    What does this mean for IT administrators? it means that they will be able to fully manage and maintain all corporate environments connected to the network (Android and iOS) through the centralized server. And since Safe Mobile Workforce completely separates corporate and user data, administrators get to have full control of the corporate environment without worrying about privacy concerns from the employees.

    To get a better idea of how the Trend Micro Safe Mobile Workforce works, check out our infographic, Split Screen: Separating Corporate from Personal Data on Mobile Devices.

    Posted in Data, Mobile |

    6:30 am (UTC-7)   |    by

    Apart from those apps that register users for unwanted services and those that aggressively push ads, Android users should also worry about apps with backdoor capabilities.

    While premium service abusers and adware accounted for the majority of malicious apps in 2012, they are, however, not the only threats to Android. Reports of a botnet running on more than a million of smartphones recently made the headlines, which goes to show that attacks aimed at Android devices are varied and far from over.

    Prior to these reports, we have been seeing these malware  since July 2012 and have so far detected 4,282 in the wild. The related samples we analyzed (detected by Trend Micro as ANDROIDOS_KSAPP.A, ANDROIDOS_KSAPP.VTD, ANDROIDOS_KSAPP.CTA, ANDROIDOS_KSAPP.CTB, and AndroidOS_KSAPP.HRX ) were from a certain third-party app store, though we suspect there are other available several sites. Typically, these apps are marketed as gaming apps, some of them bearing or are repackaged versions of popular gaming titles.

    The first batch of samples we analyzed was packaged using the same app title, purportedly from the same company.

    Once any of these malicious apps is installed in a device, it communicates to the following remotes sites to acquire compressed script then parses the said script:

    • http://{BLOCKED}y.{BLOCKED}
    • http://{BLOCKED}n.{BLOCKED}
    • http://{BLOCKED}

    Read the rest of this entry »

    Posted in Mobile | Comments Off

    7:36 am (UTC-7)   |    by

    Some malware are more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known but easily forgotten safe computing practices.

    Based on our initial analysis, these WORM_VOBFUS variants that do not show any advanced routine or propagation technique. However, based on our Smart Protection Network™ feedback, the infection of these malware grew the past days.

    Aside from spreading on Facebook, there is nothing new so far about WORM_VOBFUS. So why is it still a problem? Below are some persistent issues surrounding WORM_VOBFUS.

    Read the rest of this entry »

    Posted in Malware, Vulnerabilities | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice